Code Reference

Execution Policy

PowerShell · Reference cheat sheet

Execution Policy

PowerShell · Reference cheat sheet


📋 Overview

Execution policy is a safety gate controlling which scripts can run—not a security boundary. Policies differ by scope (Process, CurrentUser, LocalMachine). Prefer RemoteSigned for interactive machines; use process-scoped bypasses for CI without changing machine policy.

🔧 Core concepts

PolicyEffect
RestrictedNo scripts
AllSignedOnly signed scripts
RemoteSignedLocal OK; downloaded need signature
UnrestrictedWarn on remote; run
BypassNothing blocked
UndefinedDefer to other scopes
ScopeTypical use
ProcessCurrent session only
CurrentUserPer-user registry
LocalMachineMachine-wide (admin)

Zone Identifier alternate data streams mark “downloaded” files on Windows.

💡 Examples

Inspect and set:

Get-ExecutionPolicy -List
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

One-off bypass (CI / troubleshooting):

pwsh -ExecutionPolicy Bypass -File .\deploy.ps1
Set-ExecutionPolicy Bypass -Scope Process

Unblock downloaded file:

Unblock-File -Path .\Install-Thing.ps1
Get-Item .\Install-Thing.ps1 -Stream *

⚠️ Pitfalls

  • Execution policy does not stop a determined user (powershell -Command, bypass, copying contents).
  • Group Policy may override your Set-ExecutionPolicy—check -List.
  • USB/network files may still be treated as remote.
  • Signing requires certificates and maintenance—don’t adopt AllSigned casually.
  • On non-Windows, policies are largely Unrestricted / less relevant—still use -File carefully.
  • Don’t set LocalMachine Bypass on shared workstations without need.

On this page